Mixed Messages

Proposals in Washington to make it easier to crack encrypted messages, coming in the wake of last month's terrorist attacks, have put lawmakers at odds with U.S. businesses. More than two-thirds of U.S. companies use encryption as an everyday business tool, according to an InformationWeek Research survey. Some businesses now worry that legislation intended to help law-enforcement personnel decode encrypted data and communications could harm corporate security.

While no direct evidence has surfaced to indicate that encryption played a role in the events leading up to the attacks, intelligence agencies say criminals and anti-American groups, including Osama bin Laden's al Qaeda terrorist group, have in the past used encryption to protect their phone conversations and E-mail communications. Now, legislators are calling for laws that would make such conversations and messages less private by creating a "back door" in encryption products.

That worries some IT managers. "It's imperative for any company that customers have confidence their personal data is secure," says John Wade, VP of Internet systems at catalog and Internet retailer Bear Creek Corp. in Medford, Ore. "If customers feel their information isn't safe, it will hurt business for all of us." Bear Creek encrypts credit-card and other sensitive customer data.

Dave Barnett, security architect at Kaiser Permanente, a health-care organization in Oakland, Calif., says any changes intended to weaken the ability of criminals to use encryption for illicit activities also will diminish its effectiveness for legitimate purposes. Kaiser Permanente is required by law to keep patient information private and secure, so it encrypts all data it transmits across the Internet. "It's critical for us to protect the privacy and confidentiality of our patients," he says.

Barnett realizes it's a sticky issue. "We don't want to allow terrorism," he says. "Yet, I don't know how we can deny terrorists the ability to encrypt and retain our ability to encrypt."

According to an InformationWeek Research survey of 500 business-technology professionals, conducted in conjunction with the President's Export Council Subcommittee on Encryption in the weeks before the attacks, almost half the companies queried encrypt stored and transmitted data, most often financial and personnel files and high-level executive correspondence. Of the companies using encryption, 71% say they're highly committed to it. (For more survey results, go to informationweek.com/857/encryption.htm.)

Sen. Judd Gregg, R-N.H., is leading the charge for greater government access to encrypted data. Gregg says he wants to "protect the civil rights of individuals ... yet still allow our law-enforcement community, when it sees a need, to be able to break a code." His plan, proposed after the Sept. 11 attacks, would create a quasijudicial agency to hold "keys" that could be used to unscramble encrypted communications. Law-enforcement officials could get access to those keys only when authorized by court order.

The proposal is likely to run into opposition from critics who say that weakening encryption products will have minimal impact on criminals and terrorists, as well as from businesses that rely on strong encryption to safeguard crucial data and communications. What's more, opponents say, the proposals, if enacted, wouldn't affect the millions of copies of encryption applications already in use. "The bad guys will just start using encryption products from other countries or earlier versions of products that don't have back doors," says Phil Zimmermann, a security consultant and the programmer who created the widely used Pretty Good Privacy encryption software.

Most Web browsers and many other applications available today have strong encryption built in. "The genie is out of the bottle at this point," says Bruce Ide, a software engineer with systems integrator EDS. What's more, he says, any legislation that weakens encryption would also weaken security on the Internet. "There are benefits of encryption that are absolutely vital to the Internet, such as the ability to authenticate that somebody is really who they say they are."

Creating a so-called back door to encryption also raises the probability that an unwelcome party could exploit it. "That's not a good trade-off," says Bill Crowell, president and CEO of security vendor Cylink Corp. and former deputy director of the National Security Agency. Most of the information protected by encryption is recoverable by other means, he argues.

John Podesta, a law professor at the Georgetown University Law Center and chief of staff in the Clinton White House, says Gregg's proposal "is neither practical nor the right policy to pursue." The Clinton administration fought and lost its own encryption policy battle with its proposed "Clipper" chip key-escrow system.

Still, Americans seem to support the idea. A poll conducted by Princeton Survey Research on Sept. 13 and 14 found that 72% believe that stronger encryption controls would be helpful in preventing a repeat of the terrorist attacks.

Whatever the outcome, the encryption discussion takes place in the context of others on security, post-Sept. 11. Sen. Ron Wyden, D-Ore., for example, last week proposed the creation of a National Emergency Technology Guard, a volunteer organization of IT professionals that would help restore crucial communications after disasters. Others have called for the creation of national identity cards and for an expansion of law-enforcement agencies' ability to wiretap suspected terrorists' phone calls and monitor E-mail.

Where encryption fits into the new security landscape remains to be seen. But one thing seems clear: New rules designed to limit the ability of terrorists to use encryption will have an effect on companies that use it to conduct their daily business.